
Do Kings Play Chess on Folding Glass Stools?

On September 29, Stefan Esser posted an advisory in which he said “While searching for applications that are vulnerable to a new class of vulnerabilities inside PHP applications we took a quick look…”. This led me to remember an article last year titled Microsoft unveils details of software security process in which Window Snyder (former Microsoft security strategist) said “These are entire classes of vulnerabilities that I haven’t seen externally. When they found these, (the developers) went on a mission, found them in all parts of the system, and got rid of them.” referring to vulnerabilities that were proactively removed. The article goes on to say “Moreover, the company found and fixed two classes of vulnerabilities that have not been discovered elsewhere, she said.”

Anyone else curious about these? Less than a year, and three new classes of vulnerabilities? Come on Window, you left Microsoft, you can speak up now! Stefan, spill the beans, give us details!

So, here are the details. No, just kidding. I can’t talk about the details, but what I can talk about are taxonomies. I can talk about taxonomies for hours. I think, by analogy, that stack smashing may be an order. Perhaps a family. Closely related are the integer overflow and the format string bug. Each ends with attacker-controlled data overwriting something that sits in the expected path of execution. More distant are command stuffing (my term for the classic “; echo $stuff > /etc/passwd”) or SQL injection. Cross-site scripting belongs to the phylum of code/data separation, or perhaps the family of output validation.

I’m not sure if there’s a taxonomy here at all. By taxonomy I mean a repeatable, exclusive, reproducible system of questions that a variety of experts can ask of a sample and classify it in the same way. To be a taxonomy, you need exclusivity. You can’t be both a person and a penguin. Not all data fits neatly into taxonomies because of that exclusivity requirement. You can, for example, be both a Mac and Windows user. Thus, being a Mac or PC user isn’t a good taxonomic classification.

What’s the natural ordering of relations of emergent phenomena?

Oh, the title? It’s a mnemonic for the Linnaean taxonomy of life: kingdom, phylum, class, order, family, genus, species. And the photo is Drawers of Curiosities, by smalleyta.

Having thought quite a bit about taxonomies as part of the CWE project and general CVE-ness, I think one of the biggest challenges for vulnerability classification is that most vulns are not ‘atomic’. Think of symlink issues, which combine randomness, race conditions (sometimes), permissions, and non-atomic actions (making a temp file in 2 steps instead of one), not to mention API/design limitations that make symlink issues possible in the first place. Or directory traversal which, if you get beyond just “..”, brings in elements of canonicalization or order-of-operations. You could also argue that what I’m talking about are attacks instead of vulns. For many issues, there can be several sequences of actions and conditions that, when combined, form a vuln. In some ways integer overflows are related to buffer overflows, but only if they occur in parts of the code that deal with copying data; there’s no reason why an integer overflow can’t be part of a numeric comparison that decides whether someone should get special privileges. And then think about the fact that if an integer overflow occurs, *a mistake was already made* somewhere earlier. And, XSS and exploitable buffer overflows both share the property of mixing data and code. Now maybe we just haven’t identified the correct properties to form the ideal taxonomy for uniquely identifying vulns, and I have some emerging thoughts on that, but I think we still have a good way to go.
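The comment above makes the point that a “directory traversal” bug is rarely one atomic mistake: once you get past a literal “..”, the outcome depends on canonicalization and on the order in which decoding and filtering happen. The following is an added example, written for this page and not part of the original post or the comment, that puts three filters for the same web-root check side by side on constructed input. The web root path and the request strings are hypothetical; the point is that the two naive filters are each defeated by a different combination of conditions, while decoding first and then canonicalizing and checking containment is not.

```python
import posixpath
from urllib.parse import unquote

# Hypothetical document root used for the constructed examples below.
WEBROOT = "/srv/www/docs"


def contained(path):
    """Lexically normalize a path and report whether it stays under WEBROOT.

    posixpath.normpath is purely lexical: it does not consult the filesystem,
    so symlinks are NOT resolved. On a real server, resolve both sides with
    os.path.realpath() first, or the symlink case the comment mentions bites.
    """
    norm = posixpath.normpath(path)
    return norm == WEBROOT or norm.startswith(WEBROOT + "/")


def naive_sanitize(request):
    """Order-of-operations mistake: reject '..' first, URL-decode afterwards.

    A literal '..' is rejected, but '%2e%2e' passes the check and only becomes
    '..' when the path is decoded later in the pipeline.
    """
    if ".." in request:
        return None
    return WEBROOT + "/" + unquote(request)


def strip_filter(request):
    """Non-idempotent filter: delete every '../' once.

    Deleting '../' from '....//' leaves '../' behind, so a single pass
    reconstructs exactly the sequence it tried to remove.
    """
    return WEBROOT + "/" + request.replace("../", "")


def canonical_resolve(request):
    """Decode, canonicalize, then enforce containment; returns None if outside.

    Decoding happens before any check, normpath collapses '.', '..' and '//',
    and the final test is on the canonical form rather than on the raw bytes.
    A leading '/' is stripped so absolute requests are treated as relative.
    """
    decoded = unquote(request).lstrip("/")
    resolved = posixpath.normpath(posixpath.join(WEBROOT, decoded))
    return resolved if contained(resolved) else None


if __name__ == "__main__":
    # Constructed request strings, each probing a different combination.
    for req in ("index.html",
                "../../../etc/passwd",
                "%2e%2e/%2e%2e/%2e%2e/etc/passwd",
                "....//....//etc/passwd"):
        print(f"{req!r:40} naive={naive_sanitize(req)!r} "
              f"strip={strip_filter(req)!r} canonical={canonical_resolve(req)!r}")
```

Running it shows the encoded request slipping through naive_sanitize and the doubled-up request surviving strip_filter, both landing outside the web root after normalization, while canonical_resolve rejects the first and turns the second into a harmless path with literal “....” directory names. Double encoding (“%252e”) is the next rung: one decode yields the literal file name “%2e%2e”, which is only a problem if some later layer decodes again, another instance of the order-of-operations theme.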